Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC)"

Transcription

1 for the Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC) DHS/NPPD/PIA-006(a) Contact Point Tammy Barbour Protected Critical Infrastructure Information Program Office of Infrastructure Protection National Protection and Programs Directorate (703) Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department of Homeland Security (703)

2 Page 1 Abstract The Protected Critical Infrastructure Information (PCII) Program, part of the Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), Office of Infrastructure Protection (IP), Infrastructure Information Collection Division (IICD), facilitates the sharing of PCII between the government and the private sector. The Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC) is an Information Technology (IT) system and the means by which PCII submissions from the private sector are received and cataloged, and PCII Authorized Users are registered and managed. The PCII Program conducted this privacy impact assessment (PIA) to analyze and evaluate the privacy impact resulting from the consolidation of the PCIIMS Initial Operating Capability (IOC) functionalities into PCIIMS FOC, as well as the collection of limited personally identifiable information (PII) from the submitting individuals and PCII Authorized Users for contact purposes. Overview It is estimated that over 85 percent of the critical infrastructures within the United States are owned and operated by the private sector. Recognizing that the private sector was reluctant to share information with the federal government for fear that it could be publicly disclosed, Congress passed the Critical Infrastructure Information Act of 2002 (6 USC 131 et seq.) (CII Act). This Act provides Critical Infrastructure Information (CII) with protection from public release and disclosure. It also charges the PCII Program Office to improve the readiness posture of the United States in order to prevent and/or respond to incidents related to our critical infrastructure by creating a new framework, which would enable the private sector to voluntarily submit sensitive information regarding the nation's critical infrastructure, such as subject material (telecom, nuclear, chemical, commerce, etc.), plans related to a site (disaster, emergency response, security, buffer zone protection, etc.), location of facility, site and asset vulnerabilities, blueprints, and any other information relevant to the protection of a facility. CII, which becomes PCII upon completion of the submission and validation process, is defined in the CII Act as: Information not customarily in the public domain and related to the security of critical infrastructure or protected systems (A) actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates federal, state, or local law, harms interstate commerce of the United States, or threatens public health or safety; (B) the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or (C) any planned or past operational problem or solution regarding critical infrastructure or protected systems,

3 Page 2 including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation. 1 Entities who share CII with DHS include state and local government entities, private entities or persons, or Information Sharing and Analysis Organizations acting on behalf of their members or otherwise. These entities who submit CII to DHS for protection as PCII are referred to as submitters throughout this PIA. Collecting PCII assists government entities in protecting the nation from, and aiding in response to, acts of terrorism, natural disasters, or other emergencies, as well as assisting in the identification of vulnerabilities. The collection of PCII in a central repository gives DHS and the PCII stakeholders across the country a comprehensive view of the nation s critical infrastructure. Such a comprehensive view enables quick and effective decision-making and communication should the need for response arise. Collecting administrative contact information from submitters of PCII supports the PCII Program mission of receipt, validation, protection, and dissemination of PCII. The PCII Program limits the contact information collected to the amount of information necessary to coordinate and validate a particular CII submission. PCII protection exempts the information from the Freedom of Information Act (FOIA), state and local disclosure laws, and use in civil litigation. The submitter s contact information is considered part of the CII submission, and therefore, is afforded the same protection as the rest of the data. In September 2006, DHS further defined and developed the PCII Program through an implementing regulation, Procedures for Handling Critical Infrastructure Information; Final Rule, 6 CFR Part 29 (Final Rule). This regulation provides protections, defines terms, and outlines handling and use limitations, as well as the submission and sharing process of CII with DHS. The Final Rule also requires the use of PCIIMS to record the receipt, acknowledgement, validation, storage, dissemination, and destruction of PCII. PCIIMS FOC consolidates and integrates functions that previously existed as part of the two separate PCIIMS IOC systems, PCIIMS esubmissions and Workflow and the Program Administrative Support (PAS) system. PCIIMS FOC consolidates the two systems into one fully integrated system with three main functions: (1) esubmissions is an electronic submission functionality enabling private sector critical infrastructure personnel to submit information electronically for protection; (2) Workflow is a functionality enabling validation and protection of the PCII; and (3) User Management is where PCII Authorized Users are registered, trained, authorized, and their accounts managed. PCIIMS FOC has three user groups: (1) submitters of CII for PCII protection (e.g., state, local, or private sector entities); (2) PCII Program personnel who are DHS employees or contractors that perform the submission review, processing, validation, and administration; and (3) PCII Authorized Users who use the PCII for analyses, assessments, and other tasks in support of their homeland security duties (may include individuals outside of DHS). All PCII Program personnel with access to the PCIIMS FOC system are required to be PCII Authorized Users. However, to maintain accountability of the system and its data, not all PCII Authorized Users have direct access to the PCII contained in the PCIIMS FOC system. Only PCII Program personnel have direct access to PCII maintained within PCIIMS FOC, and PCII is disseminated to PCII Authorized Users by approved PCII Program personnel only after all sharing 1 6 USC 131(3)(A)-(C)

4 Page 3 requirements are met, including the establishment of the PCII Authorized User s need to know. Submitters are not required to be PCII Authorized Users since they are submitting CII to be considered for protections as PCII and are not using PCII for homeland security duties. As described in the CII Act and the Final Rule, PCII submissions will include PII from submitters. The PCII Program Office uses the contact information to coordinate and validate, as necessary, a particular CII submission. The PCII Program also collects PII during the PCIIMS FOC user registration process to manage PCII Authorized Users with access to the system. In both instances, the PII collected is limited to business contact information, such as: name; company; business ; business phone; and business address. CII/PCII Submission Process The submitter may share CII with DHS using one of the following methods: (1) directly to PCIIMS FOC through the esubmissions functionality; or (2) manually via , regular mail, fax, orally, in-person, etc. All information the PCII Program collects must be accompanied by an express statement and a signed certification statement from the submitter. If a submitter opts to submit information orally, the submitter must follow up with an express statement, certification statement, and documents that memorialize the oral submission, and a PCII Program official will input and upload the submission into PCIIMS FOC on the submitter s behalf The express statement affirms that: The information is voluntarily submitted to the federal government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of The certification statement affirms that: To the best of the submitter s knowledge, information, and belief, the information being submitted is not customarily in the public domain. The submitter attests that information is not being submitted in lieu of a regulatory requirement. The submitter is authorized to submit this information to be considered for protection under the Critical Infrastructure Information Act of Within PCIIMS FOC, the tracking of a CII submission begins with esubmissions, and is managed through the Workflow and User Management applications.

5 Page 4 esubmissions The esubmissions functionality collects submitter information (business contact information), as well as information about the CII data being submitted to DHS for protection, and then enables the submitter to upload various supporting documents and files. The esubmissions application scans the submitted documents for viruses and malware prior to the submission being accepted and inputted into the Workflow application. If the virus check fails, the submission is not accepted and the submitter must resolve the document issue prior to resubmitting. Once the submission is accepted, esubmissions provides a unique submission identification number to the submitter. Workflow The submission identification number follows the submission through the entire PCII submission, validation, approval, and storage process, which occurs in the Workflow application. The Workflow functionality is an information management application, logging CII submissions (either inputted directly from esubmissions or via a manual entry by the PCII Program personnel) and then enabling the PCII Program personnel to perform a validation process. CII submitted to the PCII Program is not restricted to any particular format. Therefore, during processing and validation, PCII Program personnel review the submission for specific PCII requirements. They also have the ability to systematically generate letters to send to a submitter for various information requests or status updates regarding the submission. Workflow creates a log of such correspondence, in addition to allowing PCII Program personnel to input their comments about a submission, such as administrative notes or status updates. Once a submission undergoes the PCII validation workflow, the PCII Program will either validate the submission as PCII, reject, or withdraw the submission. If the submission is validated as PCII, the Workflow application adds required headings, markings, cover pages, etc. to all of the applicable data, per the PCII Final Rule requirements, and stores the newly designated PCII submission in the PCIIMS FOC database indefinitely or until the original submitter requests the PCII protection to be withdrawn. If the submission is rejected or withdrawn, the system automatically removes all data related to the submission, with the exception of the submitter s certification and express statements that are required as part of the CII submission process. This retention practice conforms to the National Archives and Records Administration (NARA) records retention schedule for PCIIMS FOC. PCII Program personnel can also perform limited search and reporting capabilities on the CII and PCII submissions, including the reporting of first-level dissemination of PCII retained in the application. This Workflow functionality is only accessible from the DHS A-LAN, requiring a separate login from esubmissions and User Management functions. The search results and report information are only accessible to the PCII Program personnel. No other PCIIMS FOC system users have access. User Management The User Management functionality enables the PCII Program to manage its PCII Authorized Users. The PCII Program has a requirement to maintain a central repository of all users who are authorized to access PCII. In order for a user to become a PCII Authorized User, the user must complete several requirements, including: certify the performance of homeland security duties, sign a nondisclosure agreement (non-federal employees only), be certified for access (contractors only), and complete PCII training and subsequent exam. The PCII Program relies heavily on a distributed user

6 Page 5 management framework consisting of PCII Officers within the many Federal, State, local, and tribal government organizations, which access PCII, to oversee and manage the PCII Authorized User community. The User Management application aids the PCII Program and designated PCII Officers in the oversight and management of the PCII Authorized User community by enabling user registration, user screening, training delivery and certification, user notification, account maintenance, and PCII Program and Officer administrative tasks. All PCII Authorized Users are required to take PCII Authorized User training, which covers the consequences of loss or misuse of PCII data, including criminal and administrative penalties. After completing the PCII Authorized User training, a user may access PCII for up to one year and receives a unique PCII Authorized User number and a PCII Authorized User certificate. The User Management application automatically notifies users via before their one year PCII Authorized User status expires. To keep their PCII Authorized User status, the user must complete refresher training prior to the expiration date. To assist PCII Authorized Users in identifying other current PCII Authorized Users, before sharing PCII, the User Management application also includes an Authorized User number check feature, whereby one Authorized User can enter another user s number and the feature will return that person s name, PCII Authorized User status, expiration date, organization, and employer (if contractor). Partnership Systems The PCII Program also collects data on PCII submissions through partnership systems. Partnership systems are systems managed by PCII Officers in other federal agencies who have received an elevated training level for handling PCII. These systems collect, protect, and disseminate original PCII in a format that has been pre-approved by the PCII Program. PCII Officers in other federal agencies share their data with DHS either by granting the PCII Program access to the partnership system, sending a file by , or by transmitting a CD or hardcopy of the information by mail, if necessary. Each partnership system is required to meet the PCII requirements of the final rule and is covered by an individual memorandum of understanding (MOU) between the system owner and PCII Program, which details how information is collected, protected, and disseminated from the partnership system (See Appendices A and B). PCII Program personnel may input PCII submission metadata records from approved PCII partnership systems into the PCIIMS FOC Workflow application in a standardized XML format. Workflow stores these metadata records and enables the PCII Program to execute searches and generate reports on the data. Section 1.0 Authorities and Other Requirements 1.1 What specific legal authorities and/or agreements permit and define the collection of information by the project in question? Section 201(d) of the Homeland Security Act (6 USC 11(d)) and the CII Act authorize this collection, and the collection is done in accordance with the final rule.

7 Page What Privacy Act System of Records Notice(s) (SORN(s)) apply to the information? The PII about Submitters is not covered by the Privacy Act because the information is not retrieved by personal identifier as required by the Privacy Act. This information is covered and protected under the CII Act. The PCII Program Office collects PII for the purpose of granting access to the PCIIMS FOC system. This collection of information is covered by the DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). 1.3 Has a system security plan been completed for the information system(s) supporting the project? The PCIIMS FOC system has a System Security Plan (SSP) that is part of the new system C&A package. This C&A package is currently undergoing review, and an ATO will be granted before the system goes live (expected to go live in July 2011). The current production system (PCIIMS IOC) has an ATO that was signed September 9, 2010 and is valid for three years. 1.4 Does a records retention schedule approved by the National Archives and Records Administration (NARA) exist? The following records schedules cover PCIIMS FOC and have been approved by NARA: Job No. N , which covers the PCIIMS system, and N , which covers CII submissions. 1.5 If the information is covered by the Paperwork Reduction Act (PRA), provide the OMB Control number and the agency number for the collection. If there are multiple forms, include a list in an appendix. Per 6 CFR 29, Volume 71, Number 170: Under the Paperwork Reduction Act of 1995, 44 U.S.C (PRA), a Federal agency must obtain approval from the OMB for each collection of information it conducts, sponsors, or requires through regulations. The Final Rule for the Procedures for handling Critical Infrastructure Information does not contain provisions for collection of information, does not meet the definition of information collection as defined under 5 CFR Part 1320, and is therefore exempt from the requirements of the PRA. Accordingly, there is no requirement to obtain OMB approval for information collection. 2 However, the final rule does not exempt partnership systems, and as such, each partnership system may be required to follow PRA guidelines. Section 2.0 Characterization of the Information The following questions are intended to define the scope of the information requested and/or collected, as well as reasons for its collection. 2 Procedures for Handling Critical Infrastructure Information; Final Rule, Preamble V(H), 6 CFR part 29 (2006).

8 Page Identify the information the project collects, uses, disseminates, or maintains. The esubmissions functionality of PCIIMS FOC collects limited contact information from individuals submitting CII to DHS. The contact information consists of full name, business title, business address, business telephone, and business fax number and is used by DHS to contact the submitter in the event there are any questions about the submission during the verification process. Information regarding the critical infrastructure itself comprises the rest of the submission and does not include PII. The types of information that PCIIMS FOC collects may include the subject material (e.g., telecom, nuclear, chemical, commerce, etc.), plans related to a site (e.g., disaster, emergency response, security, buffer zone protection, etc.), location of facility or site, asset vulnerabilities, blueprints, and/or any other information relevant to the protection of a facility. The types of information PCIIMS collects are specific to each site. For example, if the facility stores any amount of chemical matter, the submission would detail the amount, type, location, and storage of such material. Additionally, each entry requires a Certification Statement. The Certification Statement certifies that the submitter believes the information meets the statutory requirements. Each entry also contains an express statement from the submitter officially requesting that the CII be protected. The user management functionality of PCIIMS FOC also collects business contact information (e.g., name, , business address, business phone, and organization) on personnel that are PCII Authorized Users. Future PCIIMS FOC functionality may include the ability for PCII Authorized Users to search for other PCII Authorized Users by their business contact information. 2.2 What are the sources of the information and how is the information collected for the project? The original source of information that the PCII Program collects is always the submitter. Submitters may submit CII for protection as PCII to DHS through one of the following methods: (1) directly to PCIIMS FOC through the esubmissions functionality; or (2) manually via , regular mail, fax, orally, in-person, etc., in which case a PCII Program official inputs and uploads the submission into PCIIMS FOC on the submitter s behalf. In the case of faxed or hard copy submissions, a PCII Program official scans and uploads the information to PCIIMS FOC. Original, hard copy documents are stored in a safe. When information is not collected directly by the PCII Program, it is collected through partnership systems, which are systems managed by PCII Officers in other federal agencies who have received an elevated training level for handling PCII. Partnership systems collect, protect and disseminate original PCII in a format that has been pre-approved by the PCII Program. The data is shared with the PCII Program office either by granting access to the partnership system, sending a file by , or by transmitting a CD or hardcopy of the information by mail, if necessary. Each partnership system is required to meet the PCII requirements of the Final rule and is covered by an individual memorandum of understanding (MOU) between the system owner and the PCII Program, which details how information is collected, protected and disseminated from the partnership system (See Appendices A and B).

9 Page 8 Additionally, the User Management functionality of PCIIMS FOC collects business contact information (e.g., name, , business address, business phone, and organization) directly from individuals that are applying to be PCII Authorized Users. 2.3 Does the project use information from commercial sources or publicly available data? If so, explain why and how this information is used. All information collected by PCIIMS FOC is provided by the individual, not collected from commercial sources or otherwise obtained from public records. 2.4 Discuss how accuracy of the data is ensured. The PCII Program office verifies the submitter s contact information at the time of the CII submission. PCII Program personnel review the information contained in the submitting entity's submission and express and certification statements, as it is inputted into the esubmissions functionality of the PCIIMS FOC. In the case of an oral submission, the submitter must follow up with written documents to memorialize the submission, which are then reviewed by PCII Program personnel. Upon receipt and review of the submission, the PCII Program issues an acknowledgment to the submitter, at which point the submitter may verify the accuracy of their contact information. Established standard operating procedures require that the information be reviewed by a trained federal employee to ensure the submission either does or does not qualify for PCII protection and to check for accuracy. Once the information has been processed by the employee, only the Program Manager of the PCII Program Office is able to validate the submission before it is stored as read-only in the PCIIMS FOC. Once the data is stored as PCII, no changes are made to the submission, including the contact information, unless DHS is specifically notified to do so. Notifications would include, for example, a submitter contacting the help desk to update their information or to withdraw protections from their submissions. Notifications are also sent to PCII Authorized Users via to conduct various PCIIMS FOC user management activities, including training renewal notices and password resets. Responses to these notifications ensure that the contact information within PCIIMS FOC is up to date. A non-response would trigger the PCIIMS FOC system to remove the user, as required by the PCII Program policy. 2.5 Privacy Impact Analysis: Related to Characterization of the Information Privacy Risk: There is a risk that more PII than is needed will be collected and retained. Mitigation: The PCII Program Office limits the information collected to only that business contact information necessary to coordinate and validate a particular PCII submission or to perform PCII Authorized User management activities. Information entered is limited by the fields that are available in the user management functionality of PCIIMS FOC.

10 Page 9 Section 3.0 Uses of the Information The following questions require a clear description of the project s use of information. 3.1 Describe how and why the project uses the information. The PCII Program Office and PCII Authorized Users utilize PCII to prepare the nation for acts of terrorism, natural disasters, or other emergencies, as well as to assist in the identification of vulnerabilities. PCII Authorized Users may include PCII Analysts within the Department s PCII Program Office and other authorized government users to include federal, state, local, or tribal agents and their contractors. PCII information is also used by federal, state, and local governments in response to natural disaster recovery efforts. The PCII Program Office may communicate requests to submitting entities in support of the PCII Program Office's mission of receipt, validation, protection, and dissemination of PCII. The submitter s contact information is considered part of the CII submission, and therefore, is afforded the same protection as the rest of the data. The PCII Program Office uses contact information to contact the submitting entity with questions related to the CII submission. Once protected, the PII and CII combine to form PCII. The PCII is disseminated only to PCII Authorized Users with the need to know. PCII Authorized Users are identified by their unique user number. Authorized Users PII is maintained by PCIIMS solely to contact the individual for PCII Program office oversight activity. 3.2 Does the project use technology to conduct electronic searches, queries, or analyses in an electronic database to discover or locate a predictive pattern or an anomaly? If so, state how DHS plans to use such results. While PCII Analysts and others examine relationships between critical infrastructure sites in certain regions or sectors, submitter and Authorized User contact information is not analyzed in any way. 3.3 Are there other components with assigned roles and responsibilities within the system? The PCII Program Office shares PCII with PCII Authorized Users, as necessary, to support mission requirements. All PCII Authorized Users must demonstrate a valid need to know before receiving any protected information. Additionally, any organization that develops a relationship with the PCII Program Office must develop programs for receiving, handling, and using PCII in their respective critical infrastructure programs. They also must complete certification to receive PCII. A list of components or directorates within the Department with which the information is shared is maintained by the PCII Program Office.

11 Page Privacy Impact Analysis: Related to the Uses of Information Privacy Risk: There is a risk of misuse of PII collected as part of a CII submission. Mitigation: This risk is mitigated in that the entire submission (including PII), once validated, is protected as PCII. Therefore, any PII collected is afforded the same protection as PCII, and the uses of PCII are specifically defined in the Final Rule. DHS limits the use of the contact information to the coordination and validation of a PCII response. All PCII Authorized Users who receive PCII and, by necessity, process contact information, receive PCII training. All DHS employees are required to complete annual privacy training, which covers the appropriate use and handling of PII. Additionally, PCII Program users are authorized access to only the information necessary for the completion of their duties. These role-based access measures help to mitigate potential misuse of PII. Section 4.0 Notice The following questions seek information about the project s notice to the individual about the information collected, the right to consent to uses of said information, and the right to decline to provide information. 4.1 How does the project provide individuals notice prior to the collection of information? If notice is not provided, explain why not. Entities that submit CII and associated business contact information to DHS do so voluntarily, and DHS requires that each submission is accompanied by a signed certification and express statement, ensuring the submitter acknowledges the voluntary nature of the program. Entities, including the individual submitters, are provided with specifics about the program in the Final Rule. The PCII Program Office provides notice at the time of collection to individuals applying to be authorized users in the form of a Privacy Act statement, in this PIA, and the DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). 4.2 What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project? The PCII Program Office may need to contact a submitter for additional information in order to complete a validation of submitted material. In such instances, the submitter can decline to provide any additional information or may withdraw the submission before it is validated. The PCII Program Office does not accept anonymous submissions. If a submitter declines to provide their contact information that would indicate that they choose not to participate in the PCII Program. PCII Authorized Users are not provided ability to specifically consent to particular uses. Individuals who choose not to provide all the information necessary, may not be approved as a PCII Authorized User.

12 Page Privacy Impact Analysis: Related to Notice Privacy Risk: There is a risk that submitters or PCII Authorized Users will not be provided with adequate notice as to how their PII will be used. Mitigation: This risk is mitigated in that the PCII Program has a direct relationship with both submitters and PCII Authorized Users and ensures that notice provided to individuals is robust. For example, this PIA and the Final Rule provide detailed notice regarding the use of any PII provided to the PCII Program office. Once an entity chooses to submit information, they are aware of the extent of the information that is required, including the limited amount of contact information collected and the limited use of the contact information. Additionally, submitters of CII sign certification and express statements, certifying that information submitted to the PCII Program is done so voluntarily by the individual. For Authorized Users, the PCII Program Office provides notice to individuals in the form of a Privacy Act statement at the time of collection, and further notice is provided in the DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). This notice also ensures that individuals are aware of how to access and correct their records maintained within PCIIMS FOC. Section 5.0 Data Retention by the project The following questions are intended to outline how long the project retains the information after the initial collection. 5.1 Explain how long and for what reason the information is retained. DHS worked with the National Archives and Records Administration (NARA) to develop a retention schedule for the records maintained within PCIIMS FOC. This retention schedule was designed to protect PCII maintained within the system to the maximum extent practicable and consistent with the CII Act. CII submissions that are validated as PCII are maintained indefinitely or until the PCII Program office determines that information may no longer be protected under the CII Act, in which case the status is changed from PCII to non-pcii. Status changes occur when: (1) the submitter requests in writing that the information no longer be protected under the CII Act; or (2) the PCII Program office determines that the information was, at the time of the submission, customarily in the public domain. CII submissions that are rejected are removed from the system with the exception of the certification and express statements and reason for rejection, which are maintained for administrative tracking purposes. Similarly, when status changes occur, the substantive information from the submission is removed from the system, and only the certification and express statements, reason for removal, and submission metadata are retained, as outlined in the NARA guidelines. When information no longer requires protection, a submitter may request that the information be returned to them. Otherwise, it is removed from PCIIMS FOC and destroyed. Per NARA guidance, the PCII Program maintains the following categories of information, and then retains them, as follows:

13 Page 12 Per NARA Job No. N : Critical Infrastructure Information Submissions in all media formats that do not meet PCII criteria: Return to submitter if requested, or destroy within 30 calendar days of making the final nonprotection determination in accordance with provisions found in 6 CFR Part 29, or when no longer needed for current business, whichever is later. and word processing documents related to Non-Protected CII submissions: a. Copies that have no further value after the recordkeeping copy is made: Delete/destroy within 180 days after the recordkeeping copy has been produced b. Copies used for dissemination, revision, or updating that are maintained in addition to the recordkeeping copy: Delete/destroy when dissemination, revision, and updating is complete. Per NARA Job No. N : Critical Infrastructure Information Submissions: Return to submitter or destroy within 30 days of a change in submission status from PCII to non-pcii. Workflow/Protected Subsystem: Destroy 20 years after the PCII has changed submission status from PCII to non-pcii. Metadata Repository Subsystem: Destroy 20 years after the PCII has changed submission status from PCII to non-pcii. Related Records: Destroy 20 years after either the initial status determination of the associated submission or the PCII submission has changed status from PCII to non-pcii. 5.2 Privacy Impact Analysis: Related to Retention Privacy Risk: There is a risk that PII contained in a CII submission may be retained longer than necessary. Mitigation: The above risk is mitigated in that information is only retained for as long as necessary and relevant to the PCII Program mission. Submitters can request that information no longer requiring protection be removed from the system. DHS follows NARA guidance regarding purging PII that is no longer relevant or necessary, as described in 5.1, and the PCII Program Office undergoes yearly compliance auditing. Additionally, all PCII Program Office personnel are required to follow the PCII Validation Standard Operating Procedure (SOP) when reviewing CII submitted for protection. By following this SOP and the PCII Procedures Manual, the PCII program office ensures that CII failing to qualify for PCII protections is returned (if requested by the submitter) and destroyed. Section 6.0 Information Sharing The following questions are intended to describe the scope of the project information sharing external to the Department. External sharing encompasses sharing with other federal, state, local, and tribal government and private sector entities.

14 Page Is information shared outside of DHS as part of the normal agency operations? If so, identify the organization(s) and how the information is accessed and how it is to be used. The PCII Program shares PCII data with other federal, state, local, tribal, and territorial governments and their contractors, as necessary, to meet mission requirements through PCIIMS FOC and partnership systems. These partnership systems are systems managed by other federal agencies that collect, protect, and disseminate original PCII in a format that has been pre-approved by the PCII Program. Data from partnership systems is shared with the PCII Program by the partnership system granting access to the partnership system, sending a file by , or by transmitting a CD or hardcopy of the information by mail, if necessary. Each partnership system is required to meet the PCII requirements of the Final rule and is covered by an individual memorandum of understanding (MOU) between the system owner and PCII Program, which details how information is collected, protected and disseminated from the partnership system (See Appendices A and B). A list of partnership systems is maintained by the PCII Program Office. PCII Authorized User data is not shared outside of DHS as part of normal agency operations. 6.2 Describe how the external sharing noted in 6.1 is compatible with the SORN noted in 1.2. The purpose of the PCII Program is to protect and share PCII with federal, state, and local agencies when it is needed, as outlined in the CII Act. The purpose of collecting PII with the CII submissions is to communicate with the submitter. The purpose of collecting PII for Authorized Users is to facilitate the maintenance of the PCII authorized user status and for the PCII Program Office to manage the PCII Authorized Users PCII related activities. Authorized User information is shared in accordance with DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). 6.3 Does the project place limitations on re-dissemination? Information is re-disseminated and shared in accordance with the security defined in the Final Rule for Procedures for Handling Critical Infrastructure Information, 6 CFR Part 29. Limitations on redissemination include the requirement that all personnel receiving or viewing PCII have a need-to-know and also be a PCII Authorized User. 6.4 Describe how the project maintains a record of any disclosures outside of the Department. Information is only disclosed from PCIIMS to PCII Authorized Users via hardcopy, CD-ROM, or encrypted . The PCII is shared through the PCII Program Office and is then electronically recorded in PCIIMS as the first level of dissemination. This record includes who received the data, the PCII identification number associated with the PCII, when the dissemination occurred, and the format in

15 Page 14 which it was shared. Any subsequent dissemination is recorded by the responsible PCII Authorized User of that PCII, as indicated in the PCII authorized user training and Procedures Manual. Partnership systems are also required to follow this dissemination process. 6.5 Privacy Impact Analysis: Related to Information Sharing Privacy Risk: There is a privacy risk that PCII data shared outside of DHS is lost or misused. Mitigation: This risk is mitigated by processes in place whereby any external entity that develops a relationship with the PCII Program Office must first complete certification to receive PCII and then develop programs for receiving, handling, and using PCII in their respective critical infrastructure programs. PCIIMS PCII is only shared via hardcopy, encrypted CD-ROM, or encrypted . All PCII Authorized Users are required to take PCII Authorized User training annually, which covers the consequences of loss or misuse of PCII data, including criminal and administrative penalties. Section 7.0 Redress The following questions seek information about processes in place for individuals to seek redress which may include access to records about themselves, ensuring the accuracy of the information collected about them, and/or filing complaints. 7.1 What are the procedures that allow individuals to access their information? As noted above, once the PCII and submitter s contact information is entered into PCIIMS FOC, it is designated as part of the entire PCII submission. As such, it is protected, and only PCII Authorized Users and the submitters themselves will have access to the submitted information. The PII associated with the submission is not covered by the Privacy Act because the information is not retrieved by personal identifier. PCII is exempt from release under the Freedom of Information Act (FOIA). Submitters do not have direct access to their information, but can request updates or changes to their previously submitted information or can request that the status of their information be changed from PCII to non-pcii and retained, returned, or destroyed. Authorized users may contact the PCII Program Manager for access to their information. Individuals seeking access to any record containing information about themselves that is part of a DHS system of records, or seeking to contest the accuracy of its content, may submit a FOIA or Privacy Act request to DHS. The procedures for submitting FOIA requests are available in 6 CFR Part 5. Please write to FOIA, U.S. Department of Homeland Security, National Programs and Protection Directorate, Attn: FOIA Officer, Washington, D.C Individuals may also make informal inquiries to

16 Page What procedures are in place to allow the subject individual to correct inaccurate or erroneous information? Individuals should notify the PCII Program Manager of any erroneous information found in the entity s contact information. Currently, the system provides two methods for correcting erroneous information: (1) deletion of the submission containing erroneous information and the creation of a new entry; or (2) by submitting an update to the erroneous submission. 7.3 How does the project notify individuals about the procedures for correcting their information? Notice to the individual submitting CII information is described via communication with the PCII program office and in this PIA. For Authorized Users, the PCII Program Office provides notice to individuals in the form of a Privacy Act statement at the time of collection, in this PIA, and the DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). 7.4 Privacy Impact Analysis: Related to Redress Privacy Risk: As an individual cannot access their information once submitted, there is a risk that the PCIIMS FOC system may contain inaccurate information. The submitters and Authorized Users may be unaware of inaccuracies. Mitigation: Once an individual submits CII and that information is protected, only the PCII, not the individual s personal information, is mission-critical. Therefore, if the personal information is inaccurate, it does not affect the overall PCII mission. Further, the individual s information is not analyzed or evaluated in any way and only needs to be correct at the time of submission, in the event the individual needs to be contacted to provide further clarification of the CII submission. If the PCII Program is unable to contact the submitter to clarify submission information within 30 days of receiving the submission, per the Final Rule, the CII submission is not validated as PCII and will be destroyed. Authorized Users PII will be verified yearly during their re-certification training, and they also have the ability to update their personal profiles, as necessary. Section 8.0 Auditing and Accountability The following questions are intended to describe technical and policy based safeguards and security measures. 8.1 How does the project ensure that the information is used in accordance with stated practices in this PIA? All uses of the information are specifically defined in the Final Rule for Procedures for Handling Critical Infrastructure Information, 6 CFR Part 29, as well as the DHS/ALL-004 General Information Technology Access Account Records System of Records (September 29, 2009, 74 FR 49882). The uses of the contact information are limited to the coordination and validation of a PCII response.

17 Page 16 Additionally, PCIIMS users are authorized to see only the information necessary for the completion of their duties. Any access to PCII data is logged and regularly audited. Only PCII Authorized Users with a valid need to know can use PCII. PCII Authorized Users must maintain their PCII authorized status annually by completing training requirements, of which they are alerted by automated from the system. If the requirement is not met, their PCII authorized status is revoked, and their information is removed from the system. 8.2 Describe what privacy training is provided to users either generally or specifically relevant to the project. PCII Authorized Users undergo computer-based PCII training that is necessary for any individual, internal or external to DHS, to handle PCII. All DHS federal and contractor personnel with access to PCII within PCIIMS undergo DHS privacy training, which includes a discussion of Fair Information Practice Principles (FIPPs) and instructions on handling PII in accordance with FIPPs and DHS privacy policy. Additionally, all DHS federal and contractor personnel are required to complete annual privacy refresher training to retain system access. In addition, security training is provided on an annual basis, which will help to maintain the level of awareness for protecting PII. DHS will report on employees, including contractors, who receive IT security and privacy training, as required by FISMA. 8.3 What procedures are in place to determine which users may access the information and how does the project determine who has access? PCII may only be disseminated to PCII Authorized Users with a validated need to know. In order to become a PCII Authorized User, individuals must go through a vetting process, to include passing PCII Authorized User training and receiving certification for proper handling of PCII. Statutory guidelines provide that the Under Secretary for NPPD or the Under Secretary s designee may choose to provide or authorize access to PCII when it is determined that this access supports a lawful and authorized government purpose, as enumerated in the CII Act, other law, regulation, or legal authority. Any disclosure or use of PCII within the Federal government is limited by the terms of the CII Act. The PCII Program Office Procedures Manual, PCII System Security Plan, and the Final Rule document the criteria, procedures, controls, and responsibilities regarding access.

18 Page How does the project review and approve information sharing agreements, MOUs, new uses of the information, new access to the system by organizations within DHS and outside? All PCIIMS FOC system access requests and MOUs are reviewed by the PCII Program Office and the PCII Program Manager for approval. The PCIIMS FOC MOU template was written in coordination with the DHS Office of General Counsel. Responsible Officials Tammy Barbour Protected Critical Infrastructure Information Program National Protection and Programs Directorate Department of Homeland Security Approval Signature [Original signed copy on file with the DHS Privacy Office] Mary Ellen Callahan Chief Privacy Officer Department of Homeland Security

19 Page 18 APPENDIX A PROTECTED CRITICAL INFRASTRUCTURE INFORMATION (PCII) PROGRAM MEMORANDUM OF AGREEMENT Department of Homeland Security Memorandum of Agreement with Federal Agencies for Access to Protected Critical Infrastructure Information 1. Parties: The parties to this Memorandum of Agreement (MOA) are the Department of Homeland Security, through its Protected Critical Infrastructure Information Program Office (hereinafter referred to as DHS ), and the (hereinafter referred to as the Recipient ). 2. Authorities: DHS and the Recipient are authorized to enter into this MOA under the Critical Infrastructure Information Act of 2002, Subtitle B of Title II of the Homeland Security Act of 2002, 6 U.S.C ( CII Act ), and 6 C.F.R. Part Purpose: The purpose of this MOA is to set forth the agreed terms and conditions under which Protected Critical Infrastructure Information (PCII) is provided to the Recipient. The CII Act, establishes the statutory requirements for the submission and protection of critical infrastructure information ( CII ). Under 6 U.S.C. 133(e), DHS is required to establish uniform procedures for the receipt, care, and storage of PCII by Federal agencies. These procedures have been set forth in the Code of Federal Regulations at 6 C.F.R. Part 29. Specifically, 6 C.F.R outlines the requirements for sharing information with Federal agencies and Federal contractors. The PCII Program Procedures Manual provides further guidance, and requires that Federal agencies that obtain PCII from and through the PCII Program Manager (PM) enter into an MOA. This MOA fulfills that requirement. Furthermore, the PCII Program Office must accredit recipient entities as part of accessing PCII. 4. Responsibilities: A. DHS will: (i) Accredit the Recipient and appoint a PCII Officer and PM designee, if

20 Page 19 applicable, provided that the entity has satisfied the accreditation requirements set forth in Section 4.B.(ii) below. (ii) Provide access to PCII to the Recipient for the purposes set forth in the CII Act and under the conditions outlined in this MOA; (iii) Validate CII or pre-validate categorical inclusions of certain types of CII as PCII; (iv) Delegate, as appropriate and necessary, certain functions of the PCII Program Office, to an identified PM designee; (v) Obtain written consent, as applicable, from the person or entity that submitted the information or on whose behalf the information was submitted, before that information is disclosed by the Recipient to an unauthorized party ; (vi) Provide applicable procedures and guidelines for the receipt, safeguarding, handling and dissemination of PCII; (vii) Train the Recipient s PCII Officer(s) and PM s designee(s) and be available for consultation and guidance; (viii) Provide content and format for training of individuals seeking authorization to access PCII; and (ix) Assist the Recipient in issuing any alerts, advisories and warnings that require DHS prior approval as set forth in 6 C.F.R. 29.8(e). B. The Recipient will: (i) Warrant and agree that each of its employees and contractors who will have access to PCII is familiar with, will be trained in, and will comply with, the statutes, regulations, and rules that address PCII set forth in the CII Act, 6 C.F.R. Part 29, the DHS PCII Program Procedures Manual, and other relevant guidance issued by the PCII PM, and will periodically check such guidance for updates and amendments; (ii) Use its best efforts, and cooperate with the PCII Program Office, to become accredited as expeditiously as possible, by: (a) Submitting an application (b) Signing this MOA (c) Nominating a PCII Officer (d) Nominating a PCII PM designee, if applicable (e) Ensuring that the PCII Officer and the PCII PM designee complete their training (f) Completing and implementing a self-inspection plan in conjunction with Standard Operating Procedures for safeguarding, handling and disseminating PCII (g) Ensuring that the PCII Officer certifies any contractors (h) Ensuring that any contractors sign a Non-Disclosure Agreement in the form prescribed by the PCII Program Office

E-Mail Secure Gateway (EMSG)

E-Mail Secure Gateway (EMSG) for the E-Mail Secure Gateway (EMSG) DHS/MGMT/PIA-006 March 22, 2012 Contact Point David Jones MGMT/OCIO/ITSO/ESDO DHS HQ (202) 447-0167 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department

More information

Department of Homeland Security Web Portals

Department of Homeland Security Web Portals for the Department of Homeland Security Web Portals June 15, 2009 Contact Point Mary Ellen Callahan Chief Privacy Officer Department of Homeland Security (703) 235-0780 Page 2 Abstract Many Department

More information

Physical Access Control System

Physical Access Control System for the Physical Access Control System DHS/ALL 039 June 9, 2011 Contact Point David S. Coven Chief, Access Control Branch (202) 282-8742 Reviewing Official Mary Ellen Callahan Chief Privacy Officer (703)

More information

Integrated Financial Management Information System (IFMIS) Merger

Integrated Financial Management Information System (IFMIS) Merger for the Information System (IFMIS) Merger DHS/FEMA/PIA-020 December 16, 2011 Contact Point Michael Thaggard Office of Chief Financial Officer (202) 212-8192 Reviewing Official Mary Ellen Callahan Chief

More information

REMEDY Enterprise Services Management System

REMEDY Enterprise Services Management System for the Enterprise Services Management System April 28, 2016 Contact Point Marshall Nolan Border Enforcement and Management Systems Division Office of Information Technology U.S. Customs & Border Protection

More information

Port Authority of New York/New Jersey Secure Worker Access Consortium Vetting Services

Port Authority of New York/New Jersey Secure Worker Access Consortium Vetting Services for the Port Authority of New York/New Jersey Secure Worker Access Consortium Vetting Services DHS/TSA/PIA-040 November 14, 2012 Contact Point Joseph Salvator Office of Intelligence & Analysis Joseph.Salvator@tsa.dhs.gov

More information

Student Administration and Scheduling System

Student Administration and Scheduling System for the Student Administration and Scheduling System DHS/FLETC/PIA-002 February 12, 2013 Contact Point William H. Dooley Chief, Office of IT Budget, Policy, & Plans (912) 261-4524 Reviewing Official Jonathan

More information

Homeland Security Virtual Assistance Center

Homeland Security Virtual Assistance Center for the Homeland Security Virtual Assistance Center November 3, 2008 Contact Point Donald M. Lumpkins National Preparedness Directorate (FEMA) (202) 786-9754 Reviewing Official Hugo Teufel III Chief Privacy

More information

Canine Website System (CWS System) DHS/TSA/PIA-036 January 13, 2012

Canine Website System (CWS System) DHS/TSA/PIA-036 January 13, 2012 for the (CWS System) DHS/TSA/PIA-036 January 13, 2012 Contact Point Carolyn Y. Dorgham Program Manager, National Explosives Detection Canine Team Program Carolyn.Dorgham@dhs.gov Reviewing Official Mary

More information

NOC Patriot Report Database

NOC Patriot Report Database for the NOC Patriot Report Database December 7, 2010 Contact Point Ashley Tyler Department of Homeland Security Office of Operations and Coordination and Planning Reviewing Official Mary Ellen Callahan

More information

Digital Mail Pilot Program

Digital Mail Pilot Program for the Digital Mail Pilot Program June 18, 2010 Contact Point Ronald Boatwright Program Manager, Mail Management (202) 343-4220 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department

More information

Protected Critical Infrastructure Information Program Procedures Manual

Protected Critical Infrastructure Information Program Procedures Manual Protected Critical Infrastructure Information Program Procedures Manual April 2009 PCII PROGRAM PROCEDURES AND GUIDANCE MANUAL As you read this Manual and participate in the PCII Program, you may have

More information

Automated Threat Prioritization Web Service

Automated Threat Prioritization Web Service for the Automated Threat Prioritization Web Service DHS/ICE/PIA-028 June 6, 2011 Contact Point Luke McCormack Chief Information Officer U.S. Immigration and Customs Enforcement (202) 732-3100 Reviewing

More information

CASE MATTER MANAGEMENT TRACKING SYSTEM

CASE MATTER MANAGEMENT TRACKING SYSTEM for the CASE MATTER MANAGEMENT TRACKING SYSTEM September 25, 2009 Contact Point Mr. Donald A. Pedersen Commandant (CG-0948) (202) 372-3818 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department

More information

Advanced Call Center Network Platform

Advanced Call Center Network Platform for the Platform DHS/FEMA/PIA-021 March 23, 2012 Contact Point Chris Portesi Contact Center Telecommunications Section (CCTS) Texas National Processing Service Center (940) 891-8772 Reviewing Official

More information

Clearances, Logistics, Employees, Applicants, and Recruitment (CLEAR)

Clearances, Logistics, Employees, Applicants, and Recruitment (CLEAR) for Clearances, Logistics, Employees, Applicants, and Recruitment (CLEAR) DHS/USSS/PIA-013 January 3, 2013 Contact Point Latita M. Payne, Privacy Officer United States Secret Service (202) 406-5838 Reviewing

More information

Bonds Online System (ebonds) - Phase One

Bonds Online System (ebonds) - Phase One for the Bonds Online System (ebonds) - Phase One July 14, 2009 Contact Point James T. Hayes, Jr. Director, Office of Detention and Removal U.S. Immigration and Customs Enforcement (202) 732-3100 Reviewing

More information

Authentication and Provisioning Services (APS)

Authentication and Provisioning Services (APS) for the (APS) DHS/FEMA/PIA-031 August 6, 2013 Contact Point Tina Wallace-Fincher Information Technology Security Branch FEMA Information Technology (202) 646-4605 Reviewing Official Jonathan R. Cantor

More information

Medical Credentials Management System

Medical Credentials Management System for the Medical Credentials Management System February 10, 2011 Contact Point Kathryn Brinsfield Director, Workforce Health and Medical Support Division Office of Health Affairs 202-254-6479 Reviewing

More information

Stakeholder Engagement Initiative: Customer Relationship Management

Stakeholder Engagement Initiative: Customer Relationship Management for the Stakeholder Engagement Initiative: December 10, 2009 Contact Point Christine Campigotto Private Sector Office Policy 202-612-1623 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department

More information

Department of Homeland Security Use of Google Analytics

Department of Homeland Security Use of Google Analytics for the DHS/ALL 033 June 9, 2011 Contact Point Kathleen McShea Director of New Media and Web Communications Office of Public Affairs (202) 282-8166 Reviewing Official Mary Ellen Callahan Chief Privacy

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

Accounting Package (ACCPAC)

Accounting Package (ACCPAC) for the (ACCPAC) DHS/FEMA/PIA-024 June 8, 2012 Contact Point Cheryl Ferguson Office of Chief Financial Officer (540) 504-1783 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department of

More information

United States Trustee Program

United States Trustee Program United States Trustee Program Privacy Impact Assessment for the Credit Counseling/Debtor Education System (CC/DE System) Issued by: Larry Wahlquist, Privacy Point of Contact Reviewed by: Approved by: Vance

More information

Directory Services and Email System (DSES)

Directory Services and Email System (DSES) for the Directory Services and Email System (DSES) Contact Point James Kief Functional Area Manager Department of Homeland Security/US Coast Guard (304) 264-2573 Reviewing Official Hugo Teufel III Chief

More information

United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT)

United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT) for the Conversion to 10-Fingerprint Collection for the United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT) November 15, 2007 Contact Point Barbara M. Harrison, Acting Privacy

More information

Crew Member Self Defense Training (CMSDT) Program

Crew Member Self Defense Training (CMSDT) Program for the Crew Member Self Defense Training (CMSDT) Program February 6, 2008 Contact Point Michael Rigney Federal Air Marshal Service Flight Programs Division Michael.Rigney@dhs.gov Reviewing Officials Peter

More information

Online Detainee Locator System

Online Detainee Locator System for the Online Detainee Locator System April 9, 2010 Contact Point James Chaparro Director, Office of Detention and Removal Operations U.S. Immigration and Customs Enforcement (202) 732-3100 Reviewing

More information

Privacy Impact Assessment for the. E-Verify Self Check. March 4, 2011

Privacy Impact Assessment for the. E-Verify Self Check. March 4, 2011 for the E-Verify Self Check March 4, 2011 Contact Point Janice M. Jackson Privacy Branch, Verification Division United States Citizenship and Immigration Services 202-443-0109 Reviewing Official Mary Ellen

More information

August 29 2014. Reviewing Official Karen L. Neuman Chief Privacy Officer Department of Homeland Security (202) 343-1717

August 29 2014. Reviewing Official Karen L. Neuman Chief Privacy Officer Department of Homeland Security (202) 343-1717 for the Federal Insurance and Mitigation Administration (FIMA) Risk Insurance Division (RID) Underwriting and Claims Operation Review Tool (U-CORT) DHS/FEMA/PIA-039 August 29 2014 Contact Point Bonnie

More information

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE U.S. Securities and Exchange Commission Office of Information Technology Alexandria, VA PRIVACY IMPACT ASSESSMENT (PIA) GUIDE Revised January 2007 Privacy Office Office of Information Technology PRIVACY

More information

Privacy Impact Assessment

Privacy Impact Assessment AUGUST 16, 2013 Privacy Impact Assessment CIVIL PENALTY FUND AND BUREAU-ADMINISTERED REDRESS PROGRAM Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220

More information

Immigration and Customs Enforcement Forensic Analysis of Electronic Media

Immigration and Customs Enforcement Forensic Analysis of Electronic Media for the Immigration and Customs Enforcement Forensic Analysis of Electronic Media DHS/ICE/PIA-042 May 11, 2015 Contact Point Peter T. Edge Executive Assistant Director Homeland Security Investigations

More information

Customer Scheduling and Services

Customer Scheduling and Services for the Customer Scheduling and Services DHS/USCIS/PIA-046 March 25, 2014 Contact Point Donald K. Hawkins Privacy Officer U.S. Citizenship and Immigration Services (202) 272-8000 Reviewing Official Karen

More information

Privacy Impact Assessment

Privacy Impact Assessment Technology, Planning, Architecture, & E-Government Version: 1.1 Date: April 14, 2011 Prepared for: USDA OCIO TPA&E Privacy Impact Assessment for the April 14, 2011 Contact Point Charles McClam Deputy Chief

More information

Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006

Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006 for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006 Contact Point Andrew Colsky Sensitive Security Information (SSI) Office SSI@dhs.gov Reviewing

More information

May 2 1,2009. Re: DHS Data Privacy and Integrity Advisory Committee White Paper on DHS Information Sharing and Access Agreements

May 2 1,2009. Re: DHS Data Privacy and Integrity Advisory Committee White Paper on DHS Information Sharing and Access Agreements J. Howard Beales Chair, DHS Data Privacy and Integrity Advisory Committee Via Hand Delivery Secretary Janet Napolitano Department of Homeland Security Washington, DC 20528 Ms. Mary Ellen Callahan Chief

More information

Privacy Impact Assessment for the. FALCON Tipline DHS/ICE/PIA-033. November 2, 2012

Privacy Impact Assessment for the. FALCON Tipline DHS/ICE/PIA-033. November 2, 2012 for the FALCON Tipline DHS/ICE/PIA-033 November 2, 2012 Contact Point James Dinkins Executive Associate Director Homeland Security Investigations U.S. Immigration & Customs Enforcement (202) 732-5100 Reviewing

More information

US-VISIT Five Country Joint Enrollment and Information-Sharing Project (FCC)

US-VISIT Five Country Joint Enrollment and Information-Sharing Project (FCC) for the Five Country Joint Enrollment and Information-Sharing Project (FCC) November 2, 2009 Contact Point Paul Hasson, Privacy Officer Program National Protection & Programs Directorate (202) 298-5200

More information

United States Department of State Privacy Impact Assessment Risk Analysis and Management

United States Department of State Privacy Impact Assessment Risk Analysis and Management United States Department of State Privacy Impact Assessment Risk Analysis and Management Bureau of Administration 1. Contact Information Risk Analysis and Management (RAM) PIA Department of State Privacy

More information

Privacy Impact Assessment

Privacy Impact Assessment SEPTEMBER 27, 2012 Privacy Impact Assessment NATIONWIDE MORTGAGE LICENSING SYSTEM AND REGISTRY Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220

More information

Screening of Passengers by Observation Techniques (SPOT) Program

Screening of Passengers by Observation Techniques (SPOT) Program for the Screening of Passengers by Observation Techniques (SPOT) Program August 5, 2008 Contact Point Michael Kimlick, Branch Chief, Behavior Detection and Travel Document Validation Branch, Screening

More information

Privacy Impact Assessment for TRUFONE Inmate Telephone System

Privacy Impact Assessment for TRUFONE Inmate Telephone System Federal Bureau of Prisons Privacy Impact Assessment for TRUFONE Inmate Telephone System Issued by: Sonya D. Thompson Reviewed by: Approved by: Vance E. Hitch, Chief Information Officer, Department of Justice

More information

Hiring Information Tracking System (HITS)

Hiring Information Tracking System (HITS) for the Hiring Information Tracking System (HITS) May 13, 2010 Contact Point Robert Parsons Director, Office of Human Capital U.S. Immigration and Customs Enforcement (202) 732-7770 Reviewing Official

More information

Privacy Impact Assessment Consumer Complaint Management System II (CCMS II)

Privacy Impact Assessment Consumer Complaint Management System II (CCMS II) Consumer Complaint Management System II (CCMS II) Version: 2.5 Date: September 28, 2012 Prepared for: USDA OPHS HHSD Abstract This document serves as the Privacy Impact Assessment for the CCMS II. The

More information

ICE Pattern Analysis and Information Collection (ICEPIC)

ICE Pattern Analysis and Information Collection (ICEPIC) for the ICE Pattern Analysis and Information Collection (ICEPIC) January 25, 2008 Contact Point Marcy Forman Director Office of Investigations U.S. Immigration and Customs Enforcement (202) 514-0078 Reviewing

More information

Privacy Impact Assessment for the. E-Verify Self Check. DHS/USCIS/PIA-030(b) September 06, 2013

Privacy Impact Assessment for the. E-Verify Self Check. DHS/USCIS/PIA-030(b) September 06, 2013 for the E-Verify Self Check DHS/USCIS/PIA-030(b) September 06, 2013 Contact Point Donald K. Hawkins Privacy Officer United States Citizenship and Immigration Services (202) 272-8030 Reviewing Official

More information

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB) for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief

More information

LITIGATION SUPPORT SYSTEM (SYSTEM NAME)

LITIGATION SUPPORT SYSTEM (SYSTEM NAME) Privacy Impact Assessment Form LITIGATION SUPPORT SYSTEM (SYSTEM NAME) This template is used when the Chief Privacy Officer determines that the system contains Personally Identifiable Information and a

More information

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version 03.06.01.01. Last Updated: December 2, 2013

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version 03.06.01.01. Last Updated: December 2, 2013 United States Department of State (PIA) Waiver Review System (WRS) Version 03.06.01.01 Last Updated: December 2, 2013 Bureau of Administration 1. Contact Information Department of State Privacy Coordinator

More information

Operational Data Store (ODS) and Enterprise Data Warehouse (EDW)

Operational Data Store (ODS) and Enterprise Data Warehouse (EDW) for the Operational Data Store (ODS) and Enterprise Data Warehouse (EDW) DHS/FEMA/PIA-026 June 29, 2012 Contact Point Anabela Serra Enterprise Data Warehouse Program Manager Office of the Chief Information

More information

Privacy Impact Assessment

Privacy Impact Assessment Privacy Impact Assessment For: Education Investigative Tracking System (EDITS) Date: April 10, 2013 Point of Contact: Hui Yang System Owner: Wanda A. Scott Author: William Hamel Office of Inspector General

More information

Financial Disclosure Management (FDM)

Financial Disclosure Management (FDM) for the Financial Disclosure Management (FDM) September 30, 2008 Contact Point Cynthia D. Morgan, Financial Disclosure Program Manager Ethics Division Office of General Counsel (202) 447-3514 Reviewing

More information

Background Check Service

Background Check Service for the Background Check Service Contact Point Elizabeth Gaffin USCIS Privacy Officer United States Citizenship and Immigration Services 202-272-1400 Reviewing Official Hugo Teufel III Chief Privacy Officer

More information

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO Federal Bureau of Prisons Privacy Impact Assessment for the HR Automation System Issued by: Sonya D. Thompson Deputy Assistant Director/CIO Reviewed by: Approved by: Eric Olson, Acting Chief Information

More information

Privacy Impact Assessment

Privacy Impact Assessment MAY 24, 2012 Privacy Impact Assessment matters management system Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220 claire.stapleton@cfpb.gov DOCUMENT

More information

Federal Trade Commission Privacy Impact Assessment for:

Federal Trade Commission Privacy Impact Assessment for: Federal Trade Commission Privacy Impact Assessment for: DCBE Websites and Blogs Consumer.ftc.gov, Consumidor.ftc.gov, OnGuardOnline, AlertaenLinea, Consumer.gov, Consumidor.gov and the BCP Business Center

More information

Privacy Impact Assessment Forest Service Computer Base Legacy

Privacy Impact Assessment Forest Service Computer Base Legacy Forest Service Computer Base Legacy Cyber and Privacy Policy and Oversight Version: 2.0 Date: July 19, 2010 Prepared for: USDA OCIO CPPO Privacy Impact Assessment for the Forest Service Computer Base Legacy

More information

Privacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office.

Privacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office. DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2014-] Privacy Act of 1974; Department of Homeland Security -

More information

9/11 Heroes Stamp Act of 2001 File System

9/11 Heroes Stamp Act of 2001 File System for the 9/11 Heroes Stamp Act of 2001 File System Contact Point Elizabeth Edge US Fire Administration Federal Emergency Management Agency (202) 646-3675 Reviewing Official Nuala O Connor Kelly Chief Privacy

More information

DHS SharePoint and Collaboration Sites

DHS SharePoint and Collaboration Sites for the March 22, 2011 Robert Morningstar Information Systems Security Manager DHS Office of the Chief Information Officer/Enterprise Service Delivery Office (202) 447-0467 Reviewing Official Mary Ellen

More information

Quality Assurance Recording System

Quality Assurance Recording System for the November 10, 2010 Point of Contact Sharmont André Smith Texas National Processing Service Center (940) 891-8762 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department of Homeland

More information

Chemical Security Assessment Tool (CSAT)

Chemical Security Assessment Tool (CSAT) for the Chemical Security Assessment Tool (CSAT) May 25, 2007 Contact Point Matt Bettridge Infrastructure Partnership Division 703-235-5495 Reviewing Official Hugo Teufel, III Chief Privacy Officer Department

More information

Privacy Impact Assessment for the Volunteer/Contractor Information System

Privacy Impact Assessment for the Volunteer/Contractor Information System Federal Bureau of Prisons Privacy Impact Assessment for the Volunteer/Contractor Information System Issued by: Sonya D. Thompson Deputy Assistant Director/CIO Reviewed by: Approved by: Vance E. Hitch,

More information

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices 28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices the records are part of an on-going investigation in which case they may be retained until completion of the investigation.

More information

Privacy Impact Assessment for the. ICEGangs Database. January 15, 2010

Privacy Impact Assessment for the. ICEGangs Database. January 15, 2010 for the Database January 15, 2010 Contact Point Kumar Kibble Acting Director, Office of Investigations U.S. (202) 732-5100 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department of Homeland

More information

Virginia Systems Repository (VSR): Data Repositories DHS/FEMA/PIA 038(a)

Virginia Systems Repository (VSR): Data Repositories DHS/FEMA/PIA 038(a) for the (VSR): DHS/FEMA/PIA 038(a) May 12, 2014 Contact Point Tammy Rinard Recovery Directorate (540) 686-3754 Reviewing Official Karen L. Neuman Chief Privacy Officer Department of Homeland Security (202)

More information

Electronic Fingerprint System (EFS)

Electronic Fingerprint System (EFS) for the DHS/FEMA/PIA-034 September 24, 2013 Contact Point J'son Tyson Identity, Credential & Access Management Section Chief Office of the Chief Security Officer (202) 646-1898 Reviewing Official Jonathan

More information

Privacy Impact Assessment (PIA)

Privacy Impact Assessment (PIA) Privacy Impact Assessment () Farm Service Agency Customer Name/Address Systems (CN/AS) Customer Name/Address (CN/A) Revised: November 09, 2012 Template Version: FSA--2011-08-19-A Customer Name/Address

More information

National Customer Service Center

National Customer Service Center for the National Customer Service Center DHS/USCIS/PIA-054 July 14, 2014 Contact Point Donald Hawkins Privacy Officer United States Citizenship and Immigration Services Department of Homeland Security

More information

Federal Trade Commission Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment Federal Trade Commission Privacy Impact Assessment for the: W120023 ONLINE FAX SERVICE December 2012 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal

More information

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website Federal Trade Commission Privacy Impact Assessment for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website January 2015 Page 1 of 14 1 System Overview The Federal

More information

Federal Protective Service Dispatch and Incident Record Management Systems

Federal Protective Service Dispatch and Incident Record Management Systems for the Federal Protective Service Dispatch and Incident Record Management Systems September 16, 2009 Contact Point Gary Schenkel Director, Federal Protective Service U.S. Immigration and Customs Enforcement

More information

Federal Trade Commission Privacy Impact Assessment. for the: Secure File Transfer System

Federal Trade Commission Privacy Impact Assessment. for the: Secure File Transfer System Federal Trade Commission Privacy Impact Assessment for the: Secure File Transfer System June 2011 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal

More information

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website Federal Trade Commission Privacy Impact Assessment for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website January 2015 Page 1 of 14 1 System Overview The Federal Trade

More information

Privacy Impact Assessment for the. January 19, 2007

Privacy Impact Assessment for the. January 19, 2007 for the National Emergency Management Information System Mitigation (MT) Electronic Grants Management System (NEMIS-MT egrants) January 19, 2007 Contact Point Shabbar Saifee Federal Emergency Management

More information

3. Characterization of the Information

3. Characterization of the Information 1. Contact Information Department of State Privacy Coordinator Margaret P. Grafeld Bureau of Administration Global Information Services Office of Information Programs and Services 2. System Information

More information

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME) FHFA Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME) This template is used when the Chief Privacy Officer determines that the system contains Personally Identifiable Information and a more

More information

e-law Enforcement Officer Logbook Program

e-law Enforcement Officer Logbook Program for the e-law Enforcement Officer Logbook Program August 31, 2009 Contact Point Ted Bradford Office of Law Enforcement Federal Air Marshal Service Liaison Division Edward.Bradford@dhs.gov Reviewing Officials

More information

Integrated Digitization Document Management Program (IDDMP)

Integrated Digitization Document Management Program (IDDMP) for the Integrated Digitization Document Management Program (IDDMP) DHS/USCIS/PIA-003(a) September 24, 2013 Contact Point Donald Hawkins Privacy Officer United States Citizenship and Immigration Services

More information

Commodity Futures Trading Commission Privacy Impact Assessment

Commodity Futures Trading Commission Privacy Impact Assessment Commodity Futures Trading Commission Privacy Impact Assessment System Name: CFTC Portal OPERA (Updated April 16, 2015) 1. Overview The Commodity Futures Trading Commission s ( Commission or CFTC ) Portal

More information

Cell All Demonstration

Cell All Demonstration for the Cell All Demonstration March 2, 2011 Contact Point Stephen Dennis HSARPA Technical Director (202) 254-5788 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department of Homeland Security

More information

Department of the Interior Privacy Impact Assessment

Department of the Interior Privacy Impact Assessment Department of the Interior August 15, 2014 Name of Project: email Enterprise Records and Document Management System (eerdms) Bureau: Office of the Secretary Project s Unique ID: Not Applicable A. CONTACT

More information

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS) Privacy Impact Assessment for the Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS) United States Marshals Service Contact Point William E. Bordley Associate

More information

Federal Bureau of Prisons

Federal Bureau of Prisons Federal Bureau of Prisons Privacy Impact Assessment for the Forensic Laboratory Issued by: Sonya D. Thompson, Senior Component Official for Privacy, Sr. Deputy Assistant Director/CIO Approved by: Erika

More information

HSIN R3 User Accounts: Manual Identity Proofing Process

HSIN R3 User Accounts: Manual Identity Proofing Process for the HSIN R3 User Accounts: Manual Identity Proofing Process DHS/OPS/PIA-008(a) January 15, 2013 Contact Point James Lanoue DHS Operations HSIN Program Management Office (202) 282-9580 Reviewing Official

More information

Privacy Act of 1974; Department of Transportation, Federal Aviation Administration,

Privacy Act of 1974; Department of Transportation, Federal Aviation Administration, (4910-62-P) DEPARTMENT OF TRANSPORTATION Office of the Secretary Docket No. DOT-OST-2015-0235 Privacy Act of 1974; Department of Transportation, Federal Aviation Administration, DOT/FAA-801; Aircraft Registration

More information

Department of State SharePoint Server PIA

Department of State SharePoint Server PIA 1. Contact Information A/GIS/IPS Director Department of State SharePoint Server PIA Bureau of Administration Global Information Services Office of Information Programs and Services 2. System Information

More information

DHS / UKvisas Project

DHS / UKvisas Project for the DHS / UKvisas Project November 14, 2007 Contact Point Elizabeth Gaffin Associate Counsel United States Citizenship and Immigration Services 202-272-1400 Reviewing Official Hugo Teufel III Chief

More information

Privacy Impact Assessment

Privacy Impact Assessment DECEMBER 20, 2013 Privacy Impact Assessment MARKET ANALYSIS OF ADMINISTRATIVE DATA UNDER RESEARCH AUTHORITIES Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552

More information

Federal Trade Commission Privacy Impact Assessment. for the:

Federal Trade Commission Privacy Impact Assessment. for the: Federal Trade Commission Privacy Impact Assessment for the: Rust Consulting, Inc. Integrated Settlement Information System and Online Claim Submission Websites January 2015 Page 1 of 15 1 System Overview

More information

Quality Assurance Recording System

Quality Assurance Recording System for the DHS/FEMA/PIA-015 August 15, 2014 Contact Point Aaron Colton National Processing Service Center Federal Emergency Management Agency (940) 891-8762 Reviewing Official Karen L. Neuman Chief Privacy

More information

Computer Linked Application Information Management System

Computer Linked Application Information Management System for the Computer Linked Application Information Management System DHS/USCIS/PIA-015(a) August 31, 2011 Contact Point Donald Hawkins Privacy Officer United States Citizenship and Immigration Services (202)

More information

Federal Bureau of Prisons

Federal Bureau of Prisons Federal Bureau of Prisons Privacy Impact Assessment for the Correspondence Tracking System (CTS) Issued by: Sonya D. Thompson Sr. Deputy Assistant Director/CIO Reviewed by: Approved by: Luke J. McCormack,

More information

Privacy Act of 1974; Department of Homeland Security/United States Coast Guard-015. AGENCY: Privacy Office, Department of Homeland Security.

Privacy Act of 1974; Department of Homeland Security/United States Coast Guard-015. AGENCY: Privacy Office, Department of Homeland Security. This document is scheduled to be published in the Federal Register on 07/14/2016 and available online at http://federalregister.gov/a/2016-16598, and on FDsys.gov 9110-04 DEPARTMENT OF HOMELAND SECURITY

More information

Recruit Analysis and Tracking System

Recruit Analysis and Tracking System for the November 30, 2009 Contact Point Tom DeGeorge Mission Support United States Coast Guard Recruiting Command (703) 235-1715 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department

More information

1. Contact Information. 2. System Information. Privacy Impact Assessment (PIA)

1. Contact Information. 2. System Information. Privacy Impact Assessment (PIA) 1. Contact Information Privacy Impact Assessment (PIA) Department of State Privacy Coordinator Margaret P. Grafeld Bureau of Administration Information Sharing Services Office of Information Programs and

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer DEPARTMENT OF THE INTERIOR Privacy Impact Assessment Guide Departmental Privacy Office Office of the Chief Information Officer September 30, 2014 Table of Contents INTRODUCTION... 1 Section 1.0 - What

More information

Facial Recognition Data Collection Project

Facial Recognition Data Collection Project Update for the Facial Recognition Data Collection Project DHS/S&T STIDP/PIA-008(c) September 16, 2013 Contact Point Patricia Wolfhope Resilient Systems Division Science and Technology Directorate 202-254-5790

More information